The only major difference between SSL and TLS (Secure Sockets Layer and Transport Layer Security) is that TLS is an updated and more secure version of SSL. These certificates are still widely referred to as SSL certificates simply because that is the more common term, but in reality whenever someone buys an SSL certificate they are actually buying a current TLS certificate with the option of ECC, RSA or DSA key types. SSL and TLS are both protocols used to encrypt network data. They use encryption, hash functions (message digests) and digital signatures to provide confidentiality, integrity and authentication for data in transit.

We need to download the scripts for qmail-smtpd, qmail-smtpd-ssl and qmail-send. We will start by creating all the needed directories and similar housekeeping, so let's get to it!

First, let's set up your postmaster qmail aliases. Replace postmaster@domain.xxx in the next three lines with the address you want these emails delivered to:


# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-root
# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-postmaster
# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-mailer-daemon

The second thing we need to do is edit all the smtpd files in the ~root/qmail folder and then start all the services. The only change needed in these files is the IP address: change it to the local address of the server (or just the IP it should listen on).

You should set the following value in each file:

IP=1.2.3.4

Substitute your own IP address. Do not leave this set to 0 without a good reason.


# cd ~root/qmail
# vi smtpd_run

Earlier in the guide we configured validrcptto. Once you have set the local IP, we need to enable validrcptto.

Uncomment the two lines below:


VALIDRCPTTO_CDB="$VQ/control/validrcptto.cdb"
VALIDRCPTTO_LOG=2

In the following two files, just edit the IP to your local IP address.


# vi smtpd_run_ssl


# vi smtpd_run_tls

All authentication services are disabled on port 25 and only secure SSL and TLS authentication services will be running. All incoming mail will be filtered using RBLs, and qmail-scanner or simscan to help thwart spam.

Now let's make the supervise directory and get everything copied over. The qmail.sh script below contains about 30 commands that copy the appropriate files into the correct folders; feel free to take a look at qmail.sh to see exactly what it does. It copies all the qmail-smtpd, qmail-smtpd-ssl and qmail-send run files for both the service and its log.


# ./qmail.sh

Now we want to setup selective relaying:


# mkdir /etc/tcp/
# cd /etc/tcp
# cp ~root/qmail/etc-tcp-makefile Makefile

Now we need to create the smtp file.

At this point it should be ready to go. All you need to do is create the "smtp" file, containing the normal access control list. You may want to add the IP of the server that you specified in the /var/qmail/supervise/qmail-smtpd/run file to /etc/tcp/smtp. Let's say the IP you used was 192.168.9.1. The line should look like this:


192.168.9.1:allow,RELAYCLIENT=""

This is what a typical smtp file should look like:


# vi /etc/tcp/smtp

Add the following to /etc/tcp/smtp:


192.168.9.:allow,RELAYCLIENT=""
:allow

Now run:


# gmake

and you should get an output saying:


tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp
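To show how tcpserver will read the smtp.cdb built above, here is a small Python model of the rule lookup (an added example, not part of the original guide or of ucspi-tcp). It handles only IP keys (exact address, dotted prefix with the longest tried first, and the empty default key); =host keys, info@ keys and address ranges are left out. The sample rules are the two lines from the guide plus a constructed open-relay rule for contrast.

```python
# Added example: a model of how tcpserver consults the rules that tcprules
# compiles from /etc/tcp/smtp.  Only IP keys are handled: exact address, dotted
# prefix (longest prefix tried first), then the empty default key.

# Constructed sample: the two rules from the guide.
SMTP_RULES = '192.168.9.:allow,RELAYCLIENT=""\n:allow\n'
# Constructed sample of a misconfiguration: RELAYCLIENT on the default key
# makes the server an open relay for every remote address.
OPEN_RELAY_RULES = '192.168.9.:allow,RELAYCLIENT=""\n:allow,RELAYCLIENT=""\n'

def parse_rules(text):
    """Map each rule key to (decision, env vars), in file order."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for item in fields[1:]:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[key] = (fields[0], env)
    return rules

def lookup(rules, remote_ip):
    """Return the (decision, env) that applies, or None when no key matches."""
    octets = remote_ip.split(".")
    candidates = [remote_ip]
    for n in range(len(octets) - 1, 0, -1):   # 1.2.3., 1.2., 1.
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")                     # the default key
    for key in candidates:
        if key in rules:
            return rules[key]
    return None

def may_relay(rules, remote_ip):
    """True when the connection is allowed and RELAYCLIENT is set, which is
    what makes qmail-smtpd accept mail for any destination."""
    match = lookup(rules, remote_ip)
    return match is not None and match[0] == "allow" and "RELAYCLIENT" in match[1]

def relay_keys(rules):
    """Keys that grant RELAYCLIENT; an empty key here means an open relay."""
    return [k for k, (dec, env) in rules.items()
            if dec == "allow" and "RELAYCLIENT" in env]
```

Running relay_keys over your real smtp file is a quick audit: the only keys it returns should be your own networks, never the empty default.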

Before we start qmail we need to set up a few symlinks for TLS to work properly:

For amd64 users:


# cd /usr/lib32
# ln -s libssl.so.8 libssl.so.7
# ln -s libcrypto.so.8 libcrypto.so.7

For i386 users:


# cd /lib
# ln -s libssl.so.8 libssl.so.7
# ln -s libcrypto.so.8 libcrypto.so.7

Now let's create the SSL service by running the following command:


# ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Then check the SSL service after about 5-10 seconds:


# svstat /service/qmail-smtpd-ssl/ /service/qmail-smtpd-ssl/log/


/service/qmail-smtpd-ssl/: up (pid 37035) 9 seconds
/service/qmail-smtpd-ssl/log/: up (pid 37036) 9 seconds

Now let's create the TLS service by running the following command:


# ln -s /var/qmail/supervise/qmail-smtpd-tls /service/

Then check the TLS service after about 5-10 seconds:


# svstat /service/qmail-smtpd-tls/ /service/qmail-smtpd-tls/log/


/service/qmail-smtpd-tls/: up (pid 37035) 9 seconds
/service/qmail-smtpd-tls/log/: up (pid 37036) 9 seconds

Starting the qmail services

Okay, let's start the qmail services.


# svc -t /service/* /service/*/log

Let's check to make sure qmail is running okay:


# svstat /service/* /service/*/log

You should get the following output:


/service/qmail-send: up (pid 96738) 8 seconds
/service/qmail-smtpd: up (pid 96743) 8 seconds
/service/qmail-smtpd-ssl: up (pid 96747) 8 seconds
/service/qmail-updater: up (pid 96739) 8 seconds
/service/qmail-send/log: up (pid 96749) 8 seconds
/service/qmail-smtpd-ssl/log: up (pid 96746) 8 seconds
/service/qmail-smtpd/log: up (pid 96745) 8 seconds
/service/qmail-updater/log: up (pid 96748) 8 seconds

Please note that we're not using the qmailctl file. The new qmailctl file includes the services for spamd, freshclam, clamav and dovecot, which have not been installed yet; they will start working once their service directories are created. Provided qmail-send, qmail-smtpd and qmail-smtpd-ssl are running, that is all we need to be concerned about for now.

It is important to note that if you use Microsoft Outlook to send mail via TLS, you set the port to 587 but then, under the section "Use the following type of encrypted connection", set this to AUTO.